After you deploy the image of OceanBase Developer Center (ODC) on all nodes, you need to deploy an NGINX proxy on an ODC node to route your requests to applications on different nodes. To deploy the NGINX proxy, you need to obtain and run the NGINX image on one node, copy the configuration file locally, and then modify the file. After the modification, stop running the NGINX image and then restart it to apply the modified configuration file.
Load the image
Select a node and load and run the NGINX image. You can use the following methods to load the NGINX image:
Pull the image from the Docker warehouse on the host.
Download the image package to a local device, copy the package to the host, and decompress the package.
Pull the image from the Docker warehouse
Ensure that Docker is installed on the host and the host has access to the Internet. Then, run the following command in the command-line tool to pull the NGINX image from the Docker warehouse:
docker pull nginx
Copy the image package to the host and decompress the package
Ensure that Docker is installed on the host and the host has access to the Internet. Then, run the following command on the host to download the image package to a local device:
docker save nginx:latest | gzip - >nginx.tar.gzCopy the image package to the host and run the following command to load the image:
gunzip -c nginx.tar.gz | docker load
Configure the configuration file
Before you start running the NGINX image, you must modify settings of the configuration file. The ODC image package contains templates of the configuration file. You can copy a template to a local device and edit the configuration where necessary. The templates of the configuration file vary, depending on whether you have deployed a self-signed certificate. We recommend that you copy a template based on the deployment and modify the configuration where necessary.
Configure the configuration file that does not contain the self-signed certificate
Run the following command to copy the configuration file from the image package to the host for editing. You can customize the copy path as needed, and replace the tilde (~) with the local path of the configuration file:
docker cp -a <odc_image_name>:/opt/odc/conf/nginx.conf.template ~/<conf_local_path>
The following code shows a template of the configuration file. We recommend that you pay attention to the content that requires changes based on the comments.
# Nginx conf template for http deployment
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#set 0 to disable request body size check, for support large size file upload
client_max_body_size 0;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# for websocket configuration
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# load balancing configuration
# notice under_score character are not allowed for upsteram name, 400 Bad Request happens if used
# please use ip_hash strategy
# one server line for each odc-server node
upstream odcbackends {
ip_hash;
# PLEASE CHANGE to real odc-server address (Optional)
server 127.0.0.1:8989;
# add more servers here
}
#https server, proxy to odc-server 8989 port
server {
listen 80;
# uncomment below if ipv6 enabled
#listen [::]:80;
# PLEASE CHANGE to your site domain (Optional)
server_name odc.oceanbase.com;
location / {
proxy_pass http://odcbackends;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 1800;
proxy_send_timeout 1800;
proxy_connect_timeout 75;
proxy_next_upstream off;
}
}
}
Configure the configuration file that contains a self-signed certificate
Run the following command to copy the configuration file from the image package to the host for editing. You can customize the copy path as needed, and replace the tilde (~) with the local path of the configuration file:
docker cp -a <odc_image_name>:/opt/odc/conf/nginx.conf.https.template ~/<conf_local_path>
The following code shows a template of the configuration file. We recommend that you pay attention to the content that requires changes based on the comments.
# Nginx conf template for https deployment
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#set 0 to disable request body size check, for support large size file upload
client_max_body_size 0;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# for websocket configuration
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# load balancing configuration
# notice under_score character are not allowed for upsteram name, 400 Bad Request happens if used
# please use ip_hash strategy
# one server line for each odc-server node
upstream odcbackends {
ip_hash;
# PLEASE CHANGE to real odc-server address (Optional)
server 127.0.0.1:8989;
#add more servers here
}
# redirect http to https
server {
listen 80 default_server;
# uncomment below if ipv6 enabled
#listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# https server, proxy to odc-server 8989 port
server {
listen 443 ssl http2;
# uncomment below if ipv6 enabled
#listen [::]:443 ssl http2;
# PLEASE CHANGE to your site domain (Optional)
server_name odc.oceanbase.com;
# you can use /opt/odc/bin/generate-odc-ssl-certificate.sh
# to generate self certificated SSL certificates
# PLEASE CHANGE certificate file location if unmatched
ssl_certificate /etc/pki/nginx/odcserver.crt;
ssl_certificate_key /etc/pki/nginx/odcserver.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
location / {
proxy_pass http://odcbackends;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 1800;
proxy_send_timeout 1800;
proxy_connect_timeout 75;
proxy_next_upstream off;
}
}
}
Note
You can modify the load balancing configurations to ensure sufficient proxy server timeout. The modification takes effect after you restart the NGINX proxy. We recommend that you set the proxy_connect_timeout parameter to a value of no longer than 75 seconds. For more information, see proxy_connect_timeout.
If you do not set the proxy_next_upstream parameter to off, the NGINX proxy will forward your requests to the next ODC node. In this case, you need to log on to ODC again, and cannot use features related to file upload and download, such as downloading the result set of an asynchronous task.
Start an image
After the configuration file is modified locally, run the following command in the command-line tool to restart the NGINX image. The tilde (~) indicates the local path of the configuration file.
docker run --network host --name nginx -v ~/<conf_local_path>:/etc/nginx/nginx.conf -v /etc/pki/nginx/:/etc/pki/nginx/ -d nginx
The following table lists parameters in the statement.
| Parameter | Description |
|---|---|
| --network host | Specifies to use a network port of the host. You do not need to configure port mapping in this case. If you do not want to directly use the port of the host, you can specify the mapping ports using the -p parameter. For example, -p 8080:80 specifies to map port 8080 of the host to port 80 of the Docker container. Likewise, -p 8443:443 specifies to map port 8443 of the host to port 443 of the Docker container. |
| --name nginx | Sets the name of the container to nginx for easier management. You can use other names, for example, odc-nginx. |
| -v ~/<conf_local_path>:/etc/nginx/nginx.conf | Mounts the Docker container to the specified directory of the host and maps the local files of the host to the Docker container. <conf_local_path> specifies a local path of the configuration file on the host, and then maps the configuration file to the /etc/nginx/nginx.conf file in the Docker container. |
| -v /etc/pki/nginx/:/etc/pki/nginx/ | Maps the /etc/pki/nginx/ path of the host to the /etc/pki/nginx/ path of the Docker container. |
| -d nginx | Specifies to run the Docker container in the background. |